Ex-IT Worker Gets 21 Months in Prison for Cyberattacks on Iowa School District

Ezekiel Dean Potter, a 34-year-old former senior IT support specialist for Iowa's Saydel Community School District, has been sentenced to 21 months in federal prison for a sustained cyberattack campaign against his former employer that lasted roughly 21 months. Potter had worked for the Des Moines-area district from May 2022 to April 2023, and prosecutors say he retained valid access credentials long after his departure. The U.S. government described Potter as "a plague on the Saydel Community School District," noting that his actions disrupted classroom operations, deleted employee accounts, and forced the district to spend tens of thousands of dollars on remediation. Organizations concerned about credential exposure after employee offboarding can verify whether their corporate email addresses have appeared in known leaks using an email breach checker and rotate compromised credentials immediately.

According to court filings, Potter's attacks began shortly after his employment ended when the district's Facebook page was deleted. He later infiltrated the district's Apple School Manager account, wiping user accounts, passwords, phone numbers, billing records, and device management data—effectively disabling management of district MacBooks and iPads for about a week while staff worked with Apple to regain access. The campaign escalated in January 2025 when Potter compromised a Google administrator account to access the Schoology learning management system and delete an IT employee's account, disrupting teacher access to classes for roughly two hours. A week later, he used another administrator account to wipe nine Gmail accounts belonging to current and former district employees, including the superintendent and IT director. This pattern of credential reuse and lateral movement highlights why strong, unique passwords should be enforced at every privilege level—IT leaders can audit their own password hygiene with a password checker.

When Google began sending security alerts about unauthorized access, Potter switched to a VPN service to obscure his activity. Federal investigators ultimately traced the intrusions to IP addresses linked to Potter's subsequent employers, Casey’s Store Support Center and The Printer Inc. (TPI). After Potter left TPI in January 2025, he asked a former coworker to retrieve and wipe a USB drive from his desk. The coworker instead turned the drive over to investigators, who reportedly found spreadsheets containing usernames and passwords tied to the school district. Potter's attempt to mask his traffic with a VPN underscores a growing detection challenge for security teams; a VPN/proxy detector can help identify traffic originating from anonymizing services and flag suspicious sessions for further review. The case serves as a stark reminder of the insider-threat risks that linger when departing employees' access is not promptly revoked and credentials are not rotated.